Merge pull request #1853 from PrivateBin/github-actions-hardening

harden github actions
This commit is contained in:
El RIDO 2026-06-10 18:39:33 +02:00 committed by GitHub
commit f1353de849
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
6 changed files with 31 additions and 15 deletions

View file

@ -17,18 +17,20 @@ on:
schedule:
- cron: '45 16 * * 1'
permissions:
contents: read
security-events: write
permissions: {}
jobs:
codacy-security-scan:
name: Codacy Security Scan
permissions:
security-events: write
runs-on: ubuntu-latest
steps:
# Checkout the repository to the GitHub Actions runner
- name: Checkout code
uses: actions/checkout@v6
with:
persist-credentials: false
- name: Remove folders causing errors in report
run: rm -rf doc img *.md

View file

@ -18,13 +18,13 @@ on:
schedule:
- cron: '28 22 * * 5'
permissions:
contents: read
security-events: write
permissions: {}
jobs:
analyze:
name: Analyze
permissions:
security-events: write
runs-on: ubuntu-latest
strategy:
@ -38,6 +38,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v6
with:
persist-credentials: false
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL

View file

@ -12,8 +12,7 @@ on:
- 'js/package-lock.json'
- .github/workflows/eslint.yml
permissions:
contents: read
permissions: {}
jobs:
eslint:
@ -21,6 +20,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v6
with:
persist-credentials: false
- name: Set up Node.js
uses: actions/setup-node@v6

View file

@ -15,6 +15,7 @@ jobs:
- name: Fetch changelog from tag
uses: actions/checkout@v6
with:
persist-credentials: false
sparse-checkout: CHANGELOG.md
sparse-checkout-cone-mode: false
@ -32,8 +33,8 @@ jobs:
steps:
- name: Collect artifacts
run: |
wget -q https://github.com/PrivateBin/PrivateBin/archive/refs/tags/${GITHUB_REF_NAME}.tar.gz
wget -q https://github.com/PrivateBin/PrivateBin/archive/refs/tags/${GITHUB_REF_NAME}.zip
wget -q "https://github.com/PrivateBin/PrivateBin/archive/refs/tags/${GITHUB_REF_NAME}.tar.gz"
wget -q "https://github.com/PrivateBin/PrivateBin/archive/refs/tags/${GITHUB_REF_NAME}.zip"
- name: Generate hashes
shell: bash

View file

@ -9,13 +9,13 @@ on:
pull_request:
branches: [ master ]
permissions:
contents: read
security-events: write
permissions: {}
jobs:
# https://github.com/snyk/actions/tree/master/php
snyk-php:
permissions:
security-events: write
runs-on: ubuntu-latest
if: |
github.repository == 'PrivateBin/PrivateBin' && (
@ -25,6 +25,8 @@ jobs:
github.event.pull_request.author_association == 'OWNER' )
steps:
- uses: actions/checkout@v6
with:
persist-credentials: false
- name: Run Snyk to check for vulnerabilities
uses: snyk/actions/php@master
continue-on-error: true # To make sure that SARIF upload gets called

View file

@ -15,6 +15,8 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v6
with:
persist-credentials: false
- name: Validate composer.json and composer.lock
run: composer validate
- name: Install dependencies
@ -42,6 +44,8 @@ jobs:
# let's get started!
- name: Checkout
uses: actions/checkout@v6
with:
persist-credentials: false
# cache PHP extensions
- name: Setup cache environment
@ -121,7 +125,7 @@ jobs:
name: PHP configuration combination unit tests
runs-on: ubuntu-latest
env:
php-version: '8.4'
php-version: '8.5'
extensions: gd, sqlite3
extensions-cache-key-name: phpextensions
@ -130,6 +134,8 @@ jobs:
# let's get started!
- name: Checkout
uses: actions/checkout@v6
with:
persist-credentials: false
# cache PHP extensions
- name: Setup cache environment
@ -214,11 +220,13 @@ jobs:
- name: Checkout
uses: actions/checkout@v6
with:
persist-credentials: false
- name: Setup Node
uses: actions/setup-node@v6
with:
node-version: '18'
node-version: '20'
cache: 'npm'
cache-dependency-path: 'js/package-lock.json'